GDPR To Shake Up Software Development

A new set of regulations regarding data protection comes into force next year. What are the impacts for your business and the data it uses?

As businesses have become ever more reliant on increasing amounts of data to deliver a better service to their customers, the question of how all that information is managed, stored and protected is ever present.

We already have the UK Data Protection Act (1998), but in April 2018, a new EU regulation entitled the General Data Protection Regulation will come into force. And no, in case you were wondering, Brexit will not affect its implementation in the UK.

Here, we take a look at how the new regulations will affect the technological aspects of your business including data storage, software development and other areas.

Personal data

Let’s get this out of the way up front. The biggest game changer is that any data your business uses to derive inferences that are linked to a living person is considered personal data under GDPR.

That means IP addresses, cookie IDs, even metadata. In truth, this is no different to the existing legislation. The difference, however, is that under the GDPR, the rules will be rigorously enforced.

Right now, there is a whole raft of business practices around data monetisation that depend on that data not being considered personal. Fudging it through concepts of weak consent, data reuse and onward transfer is no longer going to cut the mustard.

PET and PbD

Privacy enhancing technology (PET), along with Privacy by Design (PbD), will be mandatory requirements under GDPR. Easily said, but there is no formal definition of exactly what these terms mean.

PbD is generally agreed to be an evidencing step in the software development process that takes into account privacy requirements. In other words, by incorporating PET, you also take care of the PbD.

Two PET techniques that are gaining traction are differential privacy and homomorphic encryption.

Differential privacy seeks to counter the risk of re-identification by injecting noise that obscures the data specific to an individual. Homomorphic encryption allows data to be analysed while it remains encrypted, using special algorithms that release information. This is a cutting-edge approach that is being explored by pioneers in companies like IBM and Fujitsu.
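An added example, not from the original article: the Laplace mechanism, one standard way to inject the noise described above, applied to a count query. The records, field names, function names and the epsilon value are constructed for illustration.

```python
import random

# Constructed sample records (not real data): one row per customer.
RECORDS = [
    {"customer": f"c{i:02d}", "late_payment": late}
    for i, late in enumerate([True, False, False, True, False, True, False, False])
]


def is_late(record):
    return record["late_payment"]


def true_count(records, predicate):
    """Exact count: one person's presence shifts it by up to 1."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: difference of two exponentials with mean `scale`."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, rng):
    """Count released with epsilon-differential privacy (Laplace mechanism).

    A count has sensitivity 1, so the noise scale is 1 / epsilon:
    smaller epsilon means more noise and stronger privacy.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return true_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)


def influence_of(records, customer, predicate, release):
    """Shift in a released statistic when one customer's row is removed."""
    without = [r for r in records if r["customer"] != customer]
    return release(records, predicate) - release(without, predicate)


if __name__ == "__main__":
    rng = random.Random(2018)  # seeded only so the demo is repeatable
    noisy = lambda recs, pred: private_count(recs, pred, 0.5, rng)
    print("exact count:", true_count(RECORDS, is_late))
    print("exact influence of c00:", influence_of(RECORDS, "c00", is_late, true_count))
    print("noisy influence of c00:", round(influence_of(RECORDS, "c00", is_late, noisy), 2))
    print("noisy releases:", [round(noisy(RECORDS, is_late), 2) for _ in range(5)])
```

The exact count moves by exactly 1 when customer c00 is removed, which is what the noise is there to mask. The floating-point sampler is for illustration; a production release would use a vetted differential-privacy library.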

Ensuring compliance

Organisations need to be thinking now about how they can meet the challenge of the GDPR. When it comes into force, there will be an implementation window of just two years.